Re: [secdir] Review of draft-freed-sieve-notary-07
Tero Kivinen <kivinen@iki.fi> Thu, 22 April 2010 09:14 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A4BC3A6A51; Thu, 22 Apr 2010 02:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Level:
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[AWL=-0.835, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7eonpC-hu-V; Thu, 22 Apr 2010 02:14:05 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 8A05F3A6A24; Thu, 22 Apr 2010 02:14:02 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3M9DiUF020564 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Apr 2010 12:13:44 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3M9DgIW024619; Thu, 22 Apr 2010 12:13:42 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19408.4934.51757.287355@fireball.kivinen.iki.fi>
Date: Thu, 22 Apr 2010 12:13:42 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <4BCF2247.5040107@isode.com>
References: <19396.29206.787824.69029@fireball.kivinen.iki.fi> <4BCF2247.5040107@isode.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 14 min
X-Total-Time: 15 min
Cc: Cyrus Daboo <cyrus@daboo.name>, Ned Freed <ned.freed@mrochek.com>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-freed-sieve-notary-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 09:14:15 -0000
Alexey Melnikov writes: > The answer to your question is "it depends on an implementation". The > redirect action is defined in section 4.2 of RFC 5228, which says: > > The envelope sender address on the outgoing message is chosen by the > sieve implementation. It MAY be copied from the message being > processed. However, if the message being processed has an empty > envelope sender address the outgoing message MUST also have an empty > envelope sender address. This last requirement is imposed to prevent > loops in the case where a message is redirected to an invalid address > when then returns a delivery status notification that also ends up > being redirected to the same invalid address. Ok. Then it might be good idea to mention this also in this document, as it affects where the status notifications are going to, i.e. if user decides he wants to request status notifications, he does not know whether it goes to the original author or to his own address. > >The number of delivery status notifications can be quite large, > >especially if the ":bytrace" option of the redirect is used, as then > >every single future step for email processing, will send "relayed" > >status notification, and if there is for example mail loop or similar, > >this can be several dozen of status notifications. > > > Can you clarify what do you mean by "every single future step for email > processing"? > > My recollection is that for any given SMTP path from a sender to a > recipient only a single "relay" DSN can be generated. No. If I send email from my home machine to kivinen@iki.fi address, and use the trace option of DELIVERYBY feature I will get one status notification when my local machine takes email in and relays it to iki.fi mail server. Then I get another status notification when the iki.fi email-server gets message in and forwards it to iki.fi-spam filter (this setting is per user setting and the spam processing is done on the other machine). Then I get next one when the spam filter machine is done running the spamassasin and forwards that email to my real end delivery address (which in my case happens to be my home machine kivinen.iki.fi). Then when my home machine gets the email again now with envelope receiver of kivinen@kivinen.iki.fi (as rewritten by the iki.fi machines) it will send me the fourth trace message. So every single machine which relays the email sends the status notification saying the email was relayed. Now when I noticed there is such feature, I have found it quite useful when debugging email problems. I am one of the maintainers of the iki.fi, which provides permanent email forwarding services, and quite often our members complain that their emails does not get through, and now I have easy way of sending one email with trace option and I can see from DSNs that the email goes through iki.fi machines without delays and problems, and that the email was delivered to the members next step machine (which usually does not enable DELIVERYBY so I do not get any further reports). So if someone enables trace option in the middle and then redirects the email to forward then there might be several of those relayed status notifications sent to either to the original author or to the one running the sieve (depending which envelope sender the sieve implementation used). > >This should most likely be mentioned in the security considerations > >section more clearly. The security considerations section do warn > >about generating status notification, and says that > > > > "Sites which limit the ability to request success notifications will > > also need to restrict the ability to request them using the > > redirect-dsn extension." > > > >but that does not help at all, as if the original senders site limits > >the ability to request notifications, the host running sieve email > >filter of the receiver might not have such restrictions, thus receiver > >can enable them even when they were forbidden from the sender. Ok, now this also makes bit more sense, as if the sieve implmentation decides to rewrite the envelope sender then this restriction is appropriate, but if it does not rewrite the envelope sender, then it does not help, as the machine running sieve might not know the policy required by the original senders machine, i.e. whether the original sender was allowed to request those status notifications or not. -- kivinen@iki.fi
- [secdir] Review of draft-freed-sieve-notary-07 Tero Kivinen
- Re: [secdir] Review of draft-freed-sieve-notary-07 Alexey Melnikov
- Re: [secdir] Review of draft-freed-sieve-notary-07 Tero Kivinen
- Re: [secdir] Review of draft-freed-sieve-notary-07 Alexey Melnikov
- Re: [secdir] Review of draft-freed-sieve-notary-07 Alexey Melnikov
- Re: [secdir] Review of draft-freed-sieve-notary-07 Ned Freed
- Re: [secdir] Review of draft-freed-sieve-notary-07 Tero Kivinen
- Re: [secdir] Review of draft-freed-sieve-notary-07 Tero Kivinen
- Re: [secdir] Review of draft-freed-sieve-notary-07 Alexey Melnikov
- Re: [secdir] Review of draft-freed-sieve-notary-07 Ned Freed
- Re: [secdir] Review of draft-freed-sieve-notary-07 Ned Freed
- Re: [secdir] Review of draft-freed-sieve-notary-07 Tero Kivinen
- Re: [secdir] Review of draft-freed-sieve-notary-07 Ned Freed